CardinalKlassen

HiJackThis Log
Logfile of HijackThis v1.99.1

Scan saved at 10:52:56 AM, on 1/18/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Documents and Settings\Sarah Klassen\Desktop\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKLM\..\RunServices: [Windows Network Service] winvc32.exe

O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/18f40c4a7aa8de90ef19/netzip/RdxIE2.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095648174876

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169004032048

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tri...?rand=200322622

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


Hello ElvisAaron, my name is David, welcome to Lavasoft!

 

My first remark is to say that yes, unfortunately you are infected. To be more specific, from the HijackThis log you posted I can see you are infected with Sdbot trojans/worms, which are capable of backdoor activity. To be brief, due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately. Disconnect the infected computer from the internet until the computer can be cleaned. From a clean computer, change your online passwords: for email, for banks, eBay, forums, etc. Do not change passwords or do any transactions while using the infected computer, because the attacker may get the new passwords and transaction information.

 

I've researched the entries and found this information, in case you find it useful:

 

W32/Rbot-M contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process. W32/Rbot-M spreads to network shares with weak passwords as a result of the backdoor Trojan element receiving the appropriate command from a remote user.

 

So, that's the first thing, I recommend you change your passwords.

Here are two useful links, in case you wish to read more on the infection you have:

http://www.trendmicro.com/vinfo/virusencyc...ERY&VSect=T

http://www.sophos.com/virusinfo/analyses/w32rbotm.html

 

OK, now on to the removal. Please follow these instructions exactly as posted; it's important. Also, it is a good idea to print off these instructions, as there is a possibility some of them will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

 

Open HijackThis, click 'Config' (bottom right), then choose the 'Misc Tools' tab at the top.

Choose 'Delete a file on reboot'. In the field, copy and paste the file path a few lines below.

Click Open. HijackThis will tell you that this file will be deleted on the next reboot and ask if you want to reboot now.

When asked if you want to reboot now, say No:

C:\WINDOWS\system32\winvc32.exe

 

Please do the same for this file:

C:\WINDOWS\system32\wuam.exe

 

When asked to reboot, please choose Yes. Your system will reboot now.

 

I'm not sure whether the infection you have comes with an uninstaller, but let's check.

Click on Start, then Control Panel, and then double-click on Add/Remove Programs.

From within Add/Remove Programs, uninstall the following if they exist by double-clicking on the entries:

 

IncrediFind

eUniverse

Ebates Moe Money Maker (don't be concerned if you can't find them, it's more of a reassurance check)

 

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

 

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

 

O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)

O4 - HKLM\..\RunServices: [Windows Network Service] winvc32.exe

O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/18f40c4a7aa8de90ef19/netzip/RdxIE2.cab

O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)

O16 - DPF: {9DBAFCCF-592F-FFFF-FFFF-00608CEC297C} - http://download.weatherbug.com/minibug/tri...?rand=200322622

 

Click on Fix Checked when finished and exit HijackThis.

Make sure your Internet Explorer is closed when you click Fix Checked!

 

Now reboot into Safe Mode.

This can be done by tapping the F8 key as soon as you start your computer.

You will be brought to a menu where you can choose to boot into safe mode.

Make sure you choose the option without networking support.

 

Please find and delete this folder if it's present:

C:\Program Files\incredifind <--folder

 

Open the extracted SDFix folder and double click RunThis.bat to start the script.

Type Y to begin the cleanup process.

It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.

Press any Key and it will restart the PC.

 

When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.

Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

(Report.txt will also be copied to Clipboard ready for posting back on the forum).

Finally paste the contents of the Report.txt back on the forum in your next reply.

 

Download Bobbi Flekman's RegSearch from

http://www.bleepingcomputer.com/files/regsearch.php

 

Create a folder for RegSearch on the C: drive called C:\RegSearch. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it RegSearch. Extract all the files from the zip archive into that folder.

 

Open the RegSearch folder and double-click the icon for RegSearch.exe to launch the program.

Copy / Paste the following line into the top Search Box:

 

winvc32

 

then on the second line down paste the following:

 

wuam

 

Now hit OK. After completion Notepad will be opened with all the found instances of the string. The resulting file is saved in the same location as RegSearch.exe

 

Run HijackThis.

On the first menu, click Open the Misc Tools Section

Click Open Uninstall Manager

Click Save List - Save it anywhere.

A Notepad window will pop up after it's saved; please copy everything in that Notepad and paste it here.

 

In your next reply I need 4 logs:

1) New Hijackthis log

2) Sdfix log

3) Uninstall list from Hijackthis

4) The regsearch log

 

You may need to split them up, sometimes there is a restriction on the quantity of writing you can post at a time.

After that, if everything goes to plan, I want to give the AVG program you have installed a run in safe mode.

If you have any questions, please don't hesitate to ask at any time.

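As an added illustration of the reasoning in the reply above (example code written for this page, not part of the original post and not a HijackThis or Lavasoft tool): a small Python triage that reads the O-lines of a HijackThis log and flags the three patterns the helper singled out, namely startup entries whose command is a bare filename with no path (the two RunServices entries), ActiveX downloads hosted on a bare IP address, and entries whose target file is missing. The sample lines are copied from the log in this thread; the function names and the flag wording are my own assumptions. A flagged line is a lead for review, not proof of infection on its own.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample input: a subset of the O-lines from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [Windows Network Service] winvc32.exe
O4 - HKLM\..\RunServices: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/18f40c4a7aa8de90ef19/netzip/RdxIE2.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
"""

# O4 lines look like:  O4 - HKLM\..\RunServices: [Name] command
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O16 lines look like: O16 - DPF: {CLSID} (optional class name) - URL
O16_RE = re.compile(r'^O16 - DPF: \{[^}]+\}(?: \([^)]*\))? - (?P<url>\S+)$')


def executable_of(cmd):
    """Return the executable portion of an O4 command, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd.split('"')[1]      # quoted path: take what is between the quotes
    return cmd.split(" ")[0]          # unquoted: first whitespace-separated token


def is_unqualified_command(cmd):
    """True when the startup command is a bare filename: no directory, drive or %env% prefix.
    Such entries depend on the search path and are rarely written that way by installers."""
    exe = executable_of(cmd)
    return not any(ch in exe for ch in "\\/%")


def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (reason, line) pairs for entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            if is_unqualified_command(m.group("cmd")):
                findings.append((f"unqualified startup command in {m.group('key')}", line))
            continue
        m = O16_RE.match(line)
        if m:
            host = urlparse(m.group("url")).hostname or ""
            if is_ip_literal(host):
                findings.append(("ActiveX download from bare IP", line))
            continue
        # Orphaned BHO/toolbar/button entries: harmless leftovers, but cleanup candidates.
        if line.startswith(("O2 ", "O3 ", "O9 ")) and "(file missing)" in line:
            findings.append(("orphaned entry (file missing)", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run against the sample, the triage reports five lines: the two RunServices entries, the two "(file missing)" entries and the IP-hosted DPF download. Everything else in the log (Symantec, Java, Synaptics, Microsoft update controls) passes through untouched, which is the point: the heuristics narrow a long log down to the handful of lines a helper would ask about first.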

David, thanks for your assistance. I followed your instructions to the "T". The only step that was non-existent was when you requested the deletion of "C:\Program Files\incredifind". This was not found on the HD.

 

Below are my logs per your request:

 

Logfile of HijackThis v1.99.1

Scan saved at 11:40:17 AM, on 1/20/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

C:\Documents and Settings\Sarah Klassen\Desktop\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095648174876

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169004032048

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

 

Sdfix log:

 

 

SDFix: Version 1.60

 

Fri 01/19/2007 - 12:57:14.41

 

Microsoft Windows XP [Version 5.1.2600]

 

Running From: C:\SDFix

 

Safe Mode:

Checking Services:

 

Name:

 

Path:

 

 

Restoring Windows Registry Entries

Restoring Default Hosts File

 

 

Rebooting...

 

Normal Mode:

Checking Files:

 

Files will be copied to Backups folder and removed:

 

C:\WINDOWS\system32\TFTP1168 - Deleted

C:\WINDOWS\system32\TFTP1372 - Deleted

C:\WINDOWS\system32\TFTP1540 - Deleted

C:\WINDOWS\system32\TFTP1644 - Deleted

C:\WINDOWS\system32\TFTP1760 - Deleted

C:\WINDOWS\system32\TFTP2216 - Deleted

C:\WINDOWS\system32\TFTP3144 - Deleted

C:\WINDOWS\system32\TFTP392 - Deleted

C:\WINDOWS\system32\TFTP4840 - Deleted

C:\WINDOWS\system32\TFTP4880 - Deleted

C:\WINDOWS\system32\TFTP6076 - Deleted

C:\WINDOWS\system32\TFTP628 - Deleted

C:\WINDOWS\system32\TFTP932 - Deleted

 

 

 

Alternate Streams Check:

 

C:\WINDOWS\system32

No streams found.

 

Final Check:

 

Remaining Services:

------------------

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Disabled:Messenger"

"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"

 

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

 

 

Remaining Files:

---------------

 

Backups Folder: - C:\SDFix\backups\backups.zip

 

 

Checking For Files with Hidden Attributes :

 

C:\NTDETECT.COM

C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe

C:\WINDOWS\system32\cdplayer.exe.manifest

C:\WINDOWS\system32\logonui.exe.manifest

C:\IO.SYS

C:\MSDOS.SYS

C:\pagefile.sys

C:\Documents and Settings\Sarah Klassen\My Documents\~WRL0001.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\~WRL0002.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\~WRL0005.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\~WRL0837.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\~WRL1028.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\~WRL1103.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\~WRL2370.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\~WRL2682.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\~WRL3505.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\~WRL3669.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Jamaica\~WRL0004.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Jamaica\~WRL0659.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Jamaica\~WRL0717.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Jamaica\~WRL0823.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Jamaica\~WRL0885.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Jamaica\~WRL1273.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Jamaica\~WRL2525.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Jamaica\~WRL2532.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Jamaica\~WRL2542.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Jamaica\~WRL3514.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Psalms & Wisdom Literature\~WRL0001.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Psalms & Wisdom Literature\~WRL1016.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Youth Homiletics\~WRL0146.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Youth Homiletics\~WRL0682.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Youth Homiletics\~WRL0727.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Youth Homiletics\~WRL1962.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Youth Homiletics\~WRL2113.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Youth Homiletics\~WRL2248.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Youth Homiletics\~WRL3434.tmp

C:\Documents and Settings\Sarah Klassen\My Documents\Youth Homiletics\~WRL4062.tmp

C:\WINDOWS\system32\config\default.tmp.LOG

C:\WINDOWS\system32\config\software.tmp.LOG

C:\WINDOWS\system32\config\system.tmp.LOG

 

Finished

 

Uninstall list from Hijackthis:

 

Abacast Version 1.25f1

Ad-Aware SE Personal

Adobe Download Manager 1.2 (Remove Only)

Adobe Flash Player 9 ActiveX

Adobe Reader 6.0

Adobe Shockwave Player

AOL Instant Messenger

AppCore

AV

AVG Anti-Spyware 7.5

ccCommon

D-Link AirPlus Xtreme G

Free Tetrix

HijackThis 1.99.1

Hotfix for Windows XP (KB914440)

Hotfix for Windows XP (KB915865)

iPod for Windows 2006-01-10

iTunes

J2SE Runtime Environment 5.0 Update 10

Kazaa Media Desktop 2.1

LiveUpdate 3.1 (Symantec Corporation)

Microsoft Data Access Components KB870669

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office XP Media Content

Microsoft Office XP Small Business

Microsoft Office XP Standard for Students and Teachers

Mozilla Firefox (2.0.0.1)

MSN Gaming Zone

MSN Messenger 5.0

MSRedist

Norton AntiVirus

Norton Confidential Browser Component

Norton Confidential Web Protection Component

Norton Internet Security

Norton Internet Security

Norton Internet Security

Norton Internet Security

Norton Internet Security (Symantec Corporation)

Norton Protection Center

Panda ActiveScan

QuickTime

S3 Gamma Utility

S3DuoVue Utility

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896422)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB911280)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911567)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912812)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913446)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB916281)

Security Update for Windows XP (KB917159)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB918439)

Security Update for Windows XP (KB918899)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920214)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB921398)

Security Update for Windows XP (KB921883)

Security Update for Windows XP (KB922616)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923694)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB925454)

Security Update for Windows XP (KB926255)

SENS Keyboard V2 Driver

Shockwave

Snood for Windows version 3.01-W

SPBBC 32bit

Symantec Technical Support Web Controls

SymNet

Synaptics TouchPad

The Youth Assistant Special Edition

U.S. Robotics V.90 MPCI Modem 556B

Update for Windows XP (KB894391)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB904942)

Update for Windows XP (KB908531)

Update for Windows XP (KB910437)

Update for Windows XP (KB916595)

Update for Windows XP (KB920872)

Update for Windows XP (KB922582)

Viewpoint Manager (Remove Only)

Viewpoint Media Player

Windows Installer 3.1 (KB893803)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Media Format Runtime

Windows Media Player 10

Windows XP Hotfix - KB834707

Windows XP Hotfix - KB867282

Windows XP Hotfix - KB873333

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB885250

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB885884

Windows XP Hotfix - KB886185

Windows XP Hotfix - KB887472

Windows XP Hotfix - KB887742

Windows XP Hotfix - KB888113

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890047

Windows XP Hotfix - KB890175

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB890923

Windows XP Hotfix - KB891781

Windows XP Hotfix - KB893066

Windows XP Hotfix - KB893086

Windows XP Service Pack 2

 

The RegSearch log:

 

Windows Registry Editor Version 5.00

 

; Registry Search 2.0 by Bobbi Flekman © 2005

; Version: 2.0.2.0

 

; Results at 1/20/2007 11:34:13 AM for strings:

; 'winvc32'

; 'wuam'

; Strings excluded from search:

; (None)

; Search in:

; Registry Keys Registry Values Registry Data

; HKEY_LOCAL_MACHINE HKEY_USERS

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Update Time]

"item"="wuam"

"command"="wuam.exe"

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Network Service]

"item"="winvc32"

"command"="winvc32.exe"

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]

"c"="C:\\WINDOWS\\system32\\winvc32.exe"

"d"="C:\\WINDOWS\\system32\\wuam.exe"

 

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\exe]

"a"="C:\\WINDOWS\\system32\\winvc32.exe"

"b"="C:\\WINDOWS\\system32\\wuam.exe"

 

; End Of The Log...

 

 

David, thanks again for your help,

 

Aaron


Very good! ;)

 

We've got a few more things to do before I let you go though.

 

I can see a few entries from the registry that need to be removed. They are not really harmful, but I think it's best we delete them. The other entries from the RegSearch log are from the MRU section of your registry. It's hard to explain, but the key where the infected files appear to be coming from is a list of recently opened/saved .exe files, so it looks as though you actually opened the two infected files we deleted yourself. I could be wrong, so don't get worried, but in the future make sure that you know what you are clicking on before opening files.

 

I see you have Viewpoint installed.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove any programs related to Viewpoint if present.

 

Please open Notepad and copy and paste the bold text below into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Update Time]

 

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Windows Network Service]

Save this as "fix.reg", choosing to save as "All Files", and place it on your desktop.

It should look like this: reg8ip.gif

Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.

 

I then want to scan the computer for any more leftovers that may be lurking around.

 

Please perform this online scan: Kaspersky Webscan

Read the Requirements and Privacy statement, then select "Accept"

A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab

Select "Install" to download the ActiveX controls that allow ActiveScan to run.

 

When the download is complete it will say Ready; click "Next".

Select a target to scan: Click on "My Computer"

When the scan is complete choose to save the results as "Save as Text"

Post the Kaspersky scan results in your next reply.

 

Please download Combofix to your desktop.

Double-click combo.exe to launch the application.

 

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt.

Post this log in your next reply together with a new HijackThis log.

 

In your next reply, post a new Kaspersky log, and the Combofix log! :)


Logfile of HijackThis v1.99.1

Scan saved at 5:12:06 PM, on 1/20/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Documents and Settings\Sarah Klassen\Desktop\HijackThis.exe

 

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095648174876

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169004032048

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe


-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Saturday, January 20, 2007 4:53:37 PM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 20/01/2007

Kaspersky Anti-Virus database records: 245901

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: standard

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

A:\

C:\

D:\

 

Scan Statistics:

Total number of scanned objects: 32804

Number of viruses found: 1

Number of infected objects: 1 / 0

Number of suspicious objects: 0

Duration of the scan process: 01:17:18

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-01-20_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\A80F18B2.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\D0B67FF1.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Sarah Klassen\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Sarah Klassen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Sarah Klassen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Sarah Klassen\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Sarah Klassen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Sarah Klassen\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Sarah Klassen\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{55D2E6EC-5D0D-4557-84A4-EA0A3BE37BA7}\RP158\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\etc\hosts.bak Infected: Trojan.Win32.Qhost.f skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

 

Scan process completed.


"Sarah Klassen" - 07-01-20 16:57:54 Service Pack 2

ComboFix 07-01-21 - Running from: "C:\Documents and Settings\Sarah Klassen\Desktop"

 

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\WINDOWS\system32\449166.exe

 

 

((((((((((((((((((((((((((((((( Files Created from 2006-12-20 to 2007-01-20 ))))))))))))))))))))))))))))))))))

 

 

2007-01-20 15:26 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2007-01-20 15:26 <DIR> d-------- C:\WINDOWS\LastGood

2007-01-20 11:28 <DIR> d-------- C:\RegSearch

2007-01-19 12:55 <DIR> d-------- C:\SDFix

2007-01-18 00:51 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2007-01-18 00:31 <DIR> d-------- C:\WINDOWS\system32\LogFiles

2007-01-17 21:33 <DIR> d-------- C:\WINDOWS\Sun

2007-01-17 21:33 <DIR> d-------- C:\DOCUME~1\SARAHK~1\Application Data\Sun

2007-01-17 21:28 <DIR> d-------- C:\Program Files\Java

2007-01-17 21:25 <DIR> d-------- C:\Program Files\Common Files\Java

2007-01-17 14:37 127,208 --a------ C:\WINDOWS\system32\mucltui.dll

2007-01-16 19:02 <DIR> d--h----- C:\WINDOWS\PIF

2007-01-16 10:41 <DIR> d-------- C:\Program Files\Symantec Technical Support

2007-01-16 09:09 48,776 --a------ C:\WINDOWS\system32\S32EVNT1.DLL

2007-01-16 09:09 115,000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS

2007-01-16 09:07 <DIR> d-------- C:\Program Files\Symantec

2007-01-15 22:32 <DIR> d-------- C:\Program Files\Norton Internet Security

2007-01-15 22:07 <DIR> d-------- C:\SymNoNav

2007-01-15 14:31 <DIR> d--h-c--- C:\WINDOWS\ie7

2007-01-15 10:54 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-01-15 10:54 <DIR> d-------- C:\Program Files\Grisoft

2007-01-15 09:32 <DIR> d-------- C:\WINDOWS\pss

 

 

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

2007-01-20 15:20 -------- d-------- C:\Program Files\Common Files\symantec shared

2007-01-20 15:02 -------- d-------- C:\Program Files\mozilla firefox

2007-01-15 14:21 -------- d-------- C:\Program Files\Common Files\updmgr

2007-01-15 10:53 -------- d-------- C:\Program Files\lavasoft

2007-01-15 10:53 -------- d-------- C:\DOCUME~1\SARAHK~1\Application Data\lavasoft

2007-01-14 20:57 -------- d-------- C:\Program Files\Common Files\installshield

2006-12-19 17:09 276792 --a------ C:\WINDOWS\system32\drivers\srtspl.sys

2006-12-19 17:09 25400 --a------ C:\WINDOWS\system32\drivers\srtspx.sys

2006-12-19 17:09 247096 --a------ C:\WINDOWS\system32\drivers\srtsp.sys

2006-12-07 01:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll

2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll

2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll

2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll

2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll

2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll

2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll

2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll

2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll

2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll

2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll

2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll

2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll

2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe

2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll

2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll

2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe

2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll

2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll

 

 

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"

"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

"osCheck"="\"C:\\Program Files\\Norton Internet Security\\osCheck.exe\""

"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"Installed"="1"

"NoChange"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Date Manager.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Date Manager.lnk"

"backup"="C:\\WINDOWS\\pss\\Date Manager.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\Program Files\\Date Manager\\DateManager.exe "

"item"="Date Manager"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\GStartup.lnk"

"backup"="C:\\WINDOWS\\pss\\GStartup.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\Program Files\\Common Files\\GMT\\GMT.exe /startup"

"item"="GStartup"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"

"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"

"item"="Microsoft Office"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PrecisionTime.lnk]

"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\PrecisionTime.lnk"

"backup"="C:\\WINDOWS\\pss\\PrecisionTime.lnkCommon Startup"

"location"="Common Startup"

"command"="C:\\Program Files\\PrecisionTime\\PrecisionTime.exe "

"item"="PrecisionTime"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="iTunesHelper"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="NeroCheck"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\System32\\NeroCheck.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="qttask"

"hkey"="HKLM"

"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\S3Hotkey]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="s3hotkey"

"hkey"="HKLM"

"command"="s3hotkey.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SensKeyboard]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="SensKbd"

"hkey"="HKLM"

"command"="C:\\WINDOWS\\System32\\SensKbd.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updmgr]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="updmgr"

"hkey"="HKLM"

"command"="C:\\Program Files\\Common files\\updmgr\\updmgr.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"

"item"="ViewMgr"

"hkey"="HKLM"

"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"

"inimapping"="0"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"Microsoft Update Time"="wuam.exe"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"Microsoft Update Time"="wuam.exe"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"NoDispAppearancePage"=dword:00000000

"NoColorChoice"=dword:00000000

"NoSizeChoice"=dword:00000000

"NoDispBackgroundPage"=dword:00000000

"NoDispScrSavPage"=dword:00000000

"NoDispCPL"=dword:00000000

"NoVisualStyleChoice"=dword:00000000

"NoDispSettingsPage"=dword:00000000

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoActiveDesktopChanges"=dword:00000000

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoActiveDesktop"=dword:00000000

"NoSaveSettings"=dword:00000000

"NoThemesTab"=dword:00000000

"ForceActiveDesktopOn"=dword:00000000

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

 

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Source REG_SZ http://www.hotbar.com/images/interface.gif

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"

 

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService REG_MULTI_SZ DnsCache\0\0

rpcss REG_MULTI_SZ RpcSs\0\0

imgsvc REG_MULTI_SZ StiSvc\0\0

termsvcs REG_MULTI_SZ TermService\0\0

HTTPFilter REG_MULTI_SZ HTTPFilter\0\0

DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

 

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_COMHOST

 

 

Contents of the 'Scheduled Tasks' folder

C:\WINDOWS\tasks\Norton Internet Security - Run Full System Scan - Sarah Klassen.job

 

Completion time: 07-01-20 17:05:39


Thanks again, David,

 

Aaron


Hey Aaron, just a handful of things left to do! :)

 

Firstly find and delete this file:

C:\WINDOWS\system32\drivers\etc\hosts.bak

 

Make sure you delete the right one, there will be a legit hosts there too.

 

Please download hoster from here.

Unzip Hoster.zip, and open Hoster.exe

Then click on "Restore Microsoft Hosts File"

Close program when complete.

 

Please open Notepad and copy and paste the next bold text into it:

(don't forget to copy and paste REGEDIT4)

REGEDIT4

 

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]

 

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

 

[-HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

 

[-HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

 

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

Save this as "fix.reg", choosing to save as "All Files", and place it on your desktop.

It should look like this: reg8ip.gif

Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/ok.

 

We need to purge your infected system restore points.

On the Desktop, right-click My Computer, then click Properties.

Click the System Restore tab near the top of the window.

Check Turn off System Restore, click Apply, and then click OK.

 

We want to create a new, clean restore point. Please first reboot your computer.

You will be asked to turn system restore on again, click "yes".

On the Desktop, right-click My Computer, then click Properties.

Click the System Restore tab near the top of the window.

Check Turn off System Restore, click Apply, and then click OK.

 

Click Start > All Programs > Accessories > System Tools, and select System Restore.

In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.

Type a description for your new restore point - Something like "After trojan/spyware cleanup".

Click Create, and after it has created the restore point, click "Close".

 

Reboot a final time, let me know how the system is running! :)


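An added example, not the helper's code and not part of Hoster or any tool named above, covering the hosts-file step and the fix.reg step in this post as well as the earlier fix.reg post: it lists which keys a REGEDIT4 script would delete (rejecting a mistyped header such as "REGEDIT 4"), and it flags hosts-file lines that deviate from the stock Microsoft file in the way a Qhost-style edit does. The registry keys, host names and IP addresses in it are constructed samples.

```python
"""Constructed checks for the two text artifacts in this thread: the REGEDIT4
'fix.reg' the helper dictates, and the hosts file that Hoster restores."""

# The stock Microsoft hosts file maps only localhost to loopback. Anything
# beyond that is what a Qhost-style edit adds, so it is what we report.
LOOPBACK = {"127.0.0.1", "::1"}
STOCK_NAMES = {"localhost"}


def parse_reg_file(text):
    """Split a .reg script into (keys_to_delete, keys_to_create).

    Only the key syntax matters here: '[-KEY]' deletes the whole key, '[KEY]'
    creates or opens it. Raises ValueError unless the first non-blank line is
    exactly 'REGEDIT4', since regedit rejects a script whose header does not
    match (a stray space, as in 'REGEDIT 4', is enough to make it fail).
    """
    body = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not body or body[0] != "REGEDIT4":
        raise ValueError("bad .reg header: %r" % (body[0] if body else ""))
    deletions, creations = [], []
    for ln in body[1:]:
        if ln.startswith("[-") and ln.endswith("]"):
            deletions.append(ln[2:-1])
        elif ln.startswith("[") and ln.endswith("]"):
            creations.append(ln[1:-1])
    return deletions, creations


def reg_header_ok(text):
    """True when parse_reg_file accepts the header, False otherwise."""
    try:
        parse_reg_file(text)
        return True
    except ValueError:
        return False


def check_hosts(text):
    """Return (ip, name, reason) for every hosts entry other than the stock
    '127.0.0.1 localhost' line."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # everything after '#' is a comment
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if ip in LOOPBACK and name.lower() in STOCK_NAMES:
                continue  # the one entry a clean file is expected to have
            if ip in LOOPBACK:
                findings.append((ip, name, "pinned to loopback: site unreachable"))
            else:
                findings.append((ip, name, "redirected to %s" % ip))
    return findings


# --- constructed sample input (not taken from the thread's logs) ------------

FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

[-HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"""

# Same script with the header typo this thread shows; regedit would refuse it.
BAD_REG = FIX_REG.replace("REGEDIT4", "REGEDIT 4", 1)

HOSTS = """# constructed hosts file with two Qhost-style additions
127.0.0.1       localhost
127.0.0.1       update.example        # an update server pinned to loopback
203.0.113.5     www.example.com       # a legitimate name sent elsewhere
"""

if __name__ == "__main__":
    deleted, _ = parse_reg_file(FIX_REG)
    print("fix.reg would delete %d key(s):" % len(deleted))
    for key in deleted:
        print("  ", key)
    print("header 'REGEDIT 4' accepted:", reg_header_ok(BAD_REG))
    for ip, name, why in check_hosts(HOSTS):
        print("hosts: %-20s %-16s %s" % (name, ip, why))
```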
David,

 

Again, much obliged for all your assistance.

 

I have some feedback for you. First of all, my laptop is running a lot better. However, the boot time is still taking about 7-10 minutes. I'm not even running all the processes and it's still taking a long time to boot. As an example, the AVG & Norton icons that populate in the System Tray upon loading take a long time to load.

 

Shutdown is taking a long time. I get an "end-program" message for my "ccApp" upon shutdown. I believe that this file is for Norton Internet Security 2007 that I have.

 

Further, upon shutdown, I am receiving a message that lists an alpha-numeric string in quotes, followed by the phrase, "The memory could not be written". The alpha-numeric strings are (I think) "0x015ea020" and "0xc2d3d627" respectively.

 

Lastly, the overall response time is slow. As an example, when I click on the Mozilla icon to launch the browser, it will take about 2-3 minutes for the browser window to populate.

 

Also, and I am not sure if you can assist me with this: when I run "Live Update" for my Norton product, it says that it cannot run because LiveUpdate is currently running. Norton has an online tool to "force" the update; however, it has to be done every time, which is a bit loathsome. I was under the assumption that the viruses/worms/trojans on the HD were causing this. As of this post, it has not happened, but I was curious if you felt the same, that the infected HD was perhaps manipulating Live Update to perform subpar.

 

Again, thanks for your help. I await your instruction and insight.

 

Aaron


David,

 

I scanned my computer with my Norton Internet Security 2007 product and nothing (besides a tracking cookie) showed. I then used the Kaspersky online scanner again just out of curiosity and sure enough, it showed that there was a "virus". I am not sure what to do once Kaspersky has finished other than save the report, which I did. Previously you gave instructions to just save; should I apply any actions?

Regardless, I will post this report along with a new HijackThis log.

 

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Sunday, January 21, 2007 2:32:02 PM

Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 21/01/2007

Kaspersky Anti-Virus database records: 246041

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: standard

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

A:\

C:\

D:\

 

Scan Statistics:

Total number of scanned objects: 29135

Number of viruses found: 1

Number of infected objects: 1 / 0

Number of suspicious objects: 0

Duration of the scan process: 01:07:55

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-01-21_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\735E5DC9.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\D7DCA687.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Sarah Klassen\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Sarah Klassen\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Sarah Klassen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Sarah Klassen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Sarah Klassen\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Sarah Klassen\Local Settings\History\History.IE5\MSHist012007012120070122\index.dat Object is locked skipped

C:\Documents and Settings\Sarah Klassen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Sarah Klassen\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Sarah Klassen\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\RECYCLER\S-1-5-21-773119264-2237029002-1904607352-1005\Dc1.bak Infected: Trojan.Win32.Qhost.f skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{55D2E6EC-5D0D-4557-84A4-EA0A3BE37BA7}\RP2\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

 

Scan process completed.

 

 

 

Logfile of HijackThis v1.99.1

Scan saved at 2:45:05 PM, on 1/21/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.5730.0011)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\Sarah Klassen\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095648174876

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169004032048

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

 

 

 

David, one other question. What do you recommend I do with all these new programs, tools, and reports that are loaded on my desktop? Currently, I just created a folder and merged everything into it. Should I save all this once we are finished? Can you delete the Reg.fix file? Or does that need to stay for proper functionality??

 

Thanks again!!

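The two reports in the post above are long, and only a handful of lines in each are actionable: the single `Infected:` line buried among dozens of "Object is locked" entries in the Kaspersky report, and the HijackThis entries marked `(file missing)` or carrying an unbalanced quote (the O23 service lines with `ccSvcHst.exe" /h ccCommon`, where a quoted path with arguments has been split). The following Python helper, an added example that is not part of this thread and not code from Kaspersky or HijackThis, separates those lines out. The sample report and log text are constructed to match the formats posted above (with a placeholder SID in the RECYCLER path), and the function names (`parse_kaspersky`, `infected_objects`, `triage_hijackthis`, `summarize`) are the example's own.

```python
"""Triage helpers for a Kaspersky Online Scanner report and a HijackThis log.

Added example: not part of the forum thread or either tool. The sample
lines below are constructed to match the formats posted in the thread.
"""
import re
from typing import Dict, List

# Constructed sample in the Kaspersky Online Scanner report format
# (placeholder SID in the RECYCLER path).
KASPERSKY_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\RECYCLER\S-1-5-21-EXAMPLE-1005\Dc1.bak Infected: Trojan.Win32.Qhost.f skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
Scan process completed.
"""

# Constructed sample in HijackThis 1.99.1 log format.
HIJACKTHIS_LOG = r"""
O2 - BHO: NavErrRedir Class - {0199DF25-9820-4bd5-9FEE-5A765AB4371E} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# "<path> Infected: <threat name> <last action>"
_INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<action>\S+)$")
# "<path> Object is locked <last action>"
_LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")
# "O23 - <body>", "R0 - <body>", ...
_HJT_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


def parse_kaspersky(report: str) -> List[Dict[str, str]]:
    """Return one record per scanned-object line; header/footer lines are skipped."""
    records = []
    for raw in report.splitlines():
        line = raw.strip()
        m = _INFECTED_RE.match(line)
        if m:
            records.append({"path": m["path"], "status": "infected",
                            "threat": m["threat"], "action": m["action"]})
            continue
        m = _LOCKED_RE.match(line)
        if m:
            records.append({"path": m["path"], "status": "locked",
                            "threat": "", "action": m["action"]})
    return records


def infected_objects(report: str) -> List[Dict[str, str]]:
    """Only the detections; locked system files (registry hives, logs) are noise."""
    return [r for r in parse_kaspersky(report) if r["status"] == "infected"]


def triage_hijackthis(log: str) -> List[Dict[str, str]]:
    """Flag entries worth a second look: orphaned references, split quoted
    paths (the O23 display quirk seen in the thread), and ActiveX downloads."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        m = _HJT_RE.match(line)
        if not m:
            continue
        section, body = m["section"], m["body"]
        if "(file missing)" in body:
            findings.append({"section": section, "reason": "file missing", "line": line})
        if body.count('"') % 2 == 1:
            findings.append({"section": section, "reason": "unbalanced quotes", "line": line})
        if section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            findings.append({"section": section, "reason": "ActiveX download from " + url, "line": line})
    return findings


def summarize(report: str, log: str) -> Dict[str, int]:
    """Counts a helper would want before reading either report line by line."""
    records = parse_kaspersky(report)
    return {
        "kaspersky_objects": len(records),
        "kaspersky_infected": sum(r["status"] == "infected" for r in records),
        "kaspersky_locked": sum(r["status"] == "locked" for r in records),
        "hjt_findings": len(triage_hijackthis(log)),
    }


if __name__ == "__main__":
    for rec in infected_objects(KASPERSKY_REPORT):
        print(f"[{rec['threat']}] {rec['path']} (last action: {rec['action']})")
    for f in triage_hijackthis(HIJACKTHIS_LOG):
        print(f"{f['section']}: {f['reason']}\n    {f['line']}")
    print(summarize(KASPERSKY_REPORT, HIJACKTHIS_LOG))
```

The "locked" entries are registry hives, event logs and the antivirus product's own logs that the scanner could not open while Windows was running; on the posted report they are all of the output except one line, and the triage view shows that the only detection sits under `C:\RECYCLER`, which is why emptying the Recycle Bin (as the reply that follows suggests) is enough to remove it.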

Hi Aaron, sorry for the delay in the reply. :(

 

You are welcome for the help so far, but I’ll most certainly try and answer your questions. Firstly, I think that you might have a possible conflict between the programs you have running on your PC, in particular the antivirus/antispyware programs. I just want to reiterate that it’s a possibility, but it could be the cause of the slowdown. What sort of system are you running? Is it generally a slow system, has it been this slow for a while? It could be a hardware problem, which would explain these strange error messages you are getting in regards to the memory failure. I’m not very good on the topic of hardware, so perhaps we should try everything non-hardware related before I send you off elsewhere for additional help.

 

How long ago did you install Norton – It’s only a possibility but I’ve had a number of users who have had problems with the 2007 package, where it has conflicted with other programs and slowed the PC down to a crawl. It’s interesting that it’s just AVG and Norton populating the system tray, could be they are locking whilst trying to run. I’d say we should firstly try and disable one of the active guards, then reboot and see if the problem remains.

 

Launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.

The main "Status" menu will appear. Select "Change state" to inactivate "Resident Shield" and Automatic Updates.

Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".

Go to Start > Run and type: services.msc, and press OK.

Click the "Extended" tab and scroll down the list to find "AVG Anti-Spyware guard".

When you find the guard service, double-click on it.

In the Properties Window > General Tab that opens, click the "Stop" button.

From the drop-down menu next to "Start-up Type", click on "Manual".

Now click "Apply", then "OK" and close the Services window.

Reboot your computer.

 

Now see if there is any improvement in the system performance. If there isn’t then we know it’s not a conflict between the two programs, and you can reverse the above steps to re-enable the active guard for AVG. Next I want you to defragment your hard-drive...when was the last time you did this?

1. Open My Computer

2. Right-click the local disk volume that you want to defragment, and then click Properties.

3. On the Tools tab, click Defragment Now.

4. Click Defragment.

5. This process takes quite a long time, so be patient.

That should clear up a bit of space, let me know how it goes.

 

The Kaspersky scan hasn’t actually shown me much at all, the infected file was lying in the recycle bin, and you can simply run some commands to remove it.

 

Close all instances of Internet Explorer.

Go to your control panel and open "Internet Options".

Click on the "General" tab.

Click the "Delete Cookies" button, then the "Delete Files" button.

When prompted, place a tick in the "Delete all offline content" box and click OK.

 

Go to start and click on the "run" button.

Type the following in the box --> cleanmgr and click OK.

Let it scan your system for files to remove.

Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.

Press OK to remove them.

 

All of the things we have downloaded, and the registry fixes you have created, can all be deleted now.

Complete all the above and let me know if there is any improvement.

I have an underlying feeling this is a memory problem, due to those errors.

We can try a memory test in the next post if need be.

Share this post


Link to post
Share on other sites

David,

 

This is my sister's laptop, and we (you & I) are trying to help her out. She asked me to put the Norton Internet Security on her computer. When I attempted to do so, the software prompted me to remove the previous Symantec product. Well, Install/Remove program would not allow this. Therefore, after much online dialog with Symantec/Norton, I was directed to Symantec Corporate for assistance. The reason was that the AV Software that was on this laptop was a Corporate version. They emailed me a tool to remove it, which worked.

 

In the meantime, while I waited for the email, I defragged the computer, and was checking the Startup files and that is when I found the "wuam" and "winvc32". I searched some databases and then realized what I was up against.

 

I downloaded the AVG AS freeware, updated and ran their stuff. I updated her Adaware and ran that.

 

I then got access to Symantec's Corporate site from the email, and purged the 2002 version of Symantec AV off her computer. I then installed my Norton on her computer (It allows it on up to 3 computers--a point I'll reference to later), and it installed properly--that is until I ran the "Live Update". Since I followed all your instructions I have NOT had any problems running Norton's LiveUpdate (thanks!).

 

The Boot, or Startup time that her computer has taken, however has increased since I have put the Norton and the AVG on it. A side note of compatibility, on MY Desktop, I have AVG and Norton running together and have none of these problems. The Norton software, however, upon installation DID prompt me to remove my copy of SPYWARE DOCTOR due to incompatibility. So I did. --my point that the NORTON and AVG are fine together on my Desktop PC, but seemingly not here on this Laptop.

 

Anyway, the Norton and AVG were installed on this laptop about one day before I posted here.

 

I have again followed all of your instructions, and the computer is still booting slow. Perhaps I should remove the AVG altogether. I would like to see what you were talking about regarding the memory problem.

 

David, again, thanks.

 

P.S. Upon shutdown, I still am getting the "End Program" "ccApp" -which is something with Norton, I think.

 

I

I have again followed all of your instructions, and the computer is still booting slow. Perhaps I should remove the AVG all together. I would like to see what you were talking about the memory problem.

 

David, again, thanks.

 

P.S. Upon shutdown, I still am getting the "End Program" "ccApp" -which is something with Norton, I think.

ccApp is the tray icon for Norton, it also does a number of other things. Is it just coming up briefly or do you have to eventually click "end now"?

 

You should uninstall AVG as it has real time protection and drivers, that may conflict with Norton. (conflict behavior is difficult to predict)


I already installed the AVG, and it seems to have helped somewhat. As far as the "ccApp" it populates briefly and then continues to shut down.

 

Further, upon shutdown, I am receiving a message that lists an alpha-numeric string in quotes, followed by the phrase, "The memory could not be written". The alpha-numeric strings are (I think) "0x015ea020" and "0xc2d3d627" respectively.

 

This is my only other problem, as I am assuming that the HD is now clean. (?) Should I repost another HiJackThis log for confirmation?

 

Please Advise.

I already installed the AVG, and it seems to have helped somewhat. As far as the "ccApp" it populates briefly and then continues to shut down.
This is normal if Norton is working correctly, it is just Windows (successfully) waiting for ccapp.exe to exit.

 

This is my only other problem, as I am assuming that the HD is now clean.
Give more details on this, the specific numbers aren't so important as anything else (how often, what else does it say, etc...).


Hi Aaron! :)

 

You may be right, but I don't feel that an "end program" error message is something I would classify as normal activity. A guy who lives down my road has Norton installed on his PC, and I remembered he had a similar problem with ccapp.exe crashing when he was shutting down. He couldn't remember exactly, but it was something to do with Norton scanning the floppy disk drive on shutdown. I searched for a while and found a possible solution. Now, I'm not 100% sure if this feature is installed on 2007 or not, this guy was using the 06 version, but I think it's worth a try anyway. I don't really just want to dismiss it.

 

Start Norton AntiVirus.

 

Click Options. If you see a menu, click Norton AntiVirus.

 

In the Norton AntiVirus Options dialog box, in the left pane, double-click Auto-Protect. Click Advanced.

 

In the right pane, uncheck Scan floppy disk in A: for boot viruses when shutting down.

 

Click OK and restart the computer.

 

Let me know if that helps. I have a feeling that ccapp.exe will sometimes crash whilst trying to find out if there is actually a floppy disk in the drive. I assume that you probably don't use floppy disks anymore, so it could be a possible cause of the problem. If that doesn't work, as you recently installed the program, I would reinstall the security suite altogether. It may have been a slight problem in the installation itself that caused the problem, so reinstalling might fix it. One of the best ways to fix software problems is by a reinstallation. If, even after the reinstallation, the problem still persists, then as Ai_Tak suggested, you might just have to live with it. I sent Norton an email over the issue, and I got this reply:

 

"This message does not indicate a problem. The main Norton AntiVirus (NAV) host file, ccApp.exe, is in the process of closing all running services. The ccApp.exe file can take some time to close, especially if the computer was shut down before it finished its last startup process. Be patient. If Windows does not close the application in a few seconds, then click End Now to close the program and allow the restart/shut down process to continue."

 

If it really is something that bugs you, you could switch to an alternative antivirus program. Some free programs are highly rated, I've listed a few below, just in case you find it helpful:

http://free.grisoft.com/freeweb.php/doc/2/

http://www.avast.com/eng/avast_4_home.html

 

Let me know how you get on!


David,

 

All is well with the computer! It's clean! Thanks for all your help. It's still slow, but since it's my sister's and not mine, she'll have to deal with it. I've already spent more time than anticipated on it!

 

Many thanks!

 

I will be posting a new thread regarding my Desktop computer, as the Kaspersky scan found a Trojan that Norton wasn't finding, and I can't seem to get rid of it.

 

Aaron


Glad I could help Aaron! :)

The latest log is looking clean!

Follow this list and your potential for being infected again will be reduced dramatically.

 

Use an Anti Virus Software -

* It is very important that your computer has an anti-virus software running on your machine.

* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:

* Click here for more information on -> Computer Safety On line - Anti-Virus

* I would recommend Grisoft's AVG or AVAST.

* These are the more secure and better ones.

 

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

 

Use a Firewall -

* I can not stress how important it is that you use a Firewall on your computer.

* Without a firewall your computer is susceptible to being hacked and taken over.

* Simply using a Firewall in its default configuration can lower your risk greatly.

* For an article on Firewalls and a listing of some available ones see the link below:

* Click here for more information on -> Computer Safety On line - Software Firewalls

* I would recommend ZoneAlarm as a firewall as it's easy to use.

 

Visit Microsoft's Windows Update Site Frequently -

* It is important that you visit http://www.windowsupdate.com regularly.

* This will ensure your computer has always the latest security updates available installed on your computer.

* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

 

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

 

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.

* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.

* You should also scan your computer with program on a regular basis just as you would an anti virus software.

* A tutorial on installing & using this product can be found here:

* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

 

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.

* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.

* A tutorial on installing & using this product can be found here:

* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

 

Install Javacools© SpywareBlaster -

* SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.

* An article on anti-malware products with links for this program and others can be found here:

* Click here for more info -->Computer Safety on line - Anti-Malware

 

Update all these programs regularly - Make sure you update all the programs I have listed regularly.

Without regular updates you WILL NOT be protected when new malicious programs are released.

 

If you have any addition questions just ask...

David


David, again, thanks for all your help. Sorry it took so long to respond.

 

I am about to post a new thread for my PC (this current thread was for my sister's laptop).

I have this Trojan.Win32.Qhost.ew that will not go away.
